• OBJECTIVES

o DEVELOP RELIABILITY ASSESSMENT TOOLS
  ♦ SOPHISTICATED SYSTEM CONFIGURATION
  ♦ MULTIPLE SOURCES OF UNCERTAINTY

o EVALUATE THE APPLICABILITY OF SURE AND ASSIST
  ♦ SURE: SEMI-MARKOV UNRELIABILITY RANGE EVALUATOR
    — APPLICABLE TO A LARGE CLASS OF SEMI-MARKOV MODELS
    — EFFICIENT AND ACCURATE
    — AVAILABLE FOR VMS/UNIX/MS-WINDOWS OS'
  ♦ ASSIST: ABSTRACT SEMI-MARKOV SPECIFICATION INTERFACE TO THE SURE TOOL
    — MODEL GENERATION TOOL FOR DIRECT INTERFACE WITH SURE
    — POWERFUL AID TO MODELING COMPLEX SEMI-MARKOV PROCESSES
    — AVAILABLE FOR VMS/UNIX/MS-DOS OS'

o JUSTIFICATION FOR FURTHER COMPUTATION SIMPLIFICATIONS
  — ON-LINE DECISIONS
  — UTILITY
• SOME BACKGROUND

o MARKOV PROCESS:

  $\{X(t) \mid t \in (0, \infty)\}$ IS A MARKOV PROCESS IF $\forall\, t_0 < t_1 < \cdots < t_n < t$, THE CONDITIONAL DISTRIBUTION OF $X(t)$ FOR GIVEN VALUES OF $X(t_0), \ldots, X(t_n)$ DEPENDS ONLY ON $X(t_n)$:

  $P(X(t) \le x \mid X(t_n) = x_n, \ldots, X(t_0) = x_0) = P(X(t) \le x \mid X(t_n) = x_n)$

o HOMOGENEOUS MARKOV PROCESS:

  $P(X(t) \le x \mid X(t_n) = x_n) = P(X(t - t_n) \le x \mid X(0) = x_n)$

  — WHITE'S INTERPRETATION:
    CONSTANT RATE
    INDEPENDENT COMPETING EVENTS
    INDEPENDENT SEQUENTIAL EVENTS
    => $F(t)$ (TIME A PROCESS SPENDS IN A STATE) IS EXPONENTIAL:
    $P(T \le t) = F(t) = 1 - e^{-\lambda t}$

o SEMI-MARKOV PROCESS: A MARKOV PROCESS WHOSE HOLDING-TIME DISTRIBUTION $F(t)$ IS NOT EXPONENTIAL
• EXAMPLE: AFTI/F-16 FAULT TOLERANT FCS

  [Figure: functional dependency of subsystems in the FTFCS. Blocks shown: processors, signal interface, command sensors, state sensors, effectors; the "standard" and "less standard" parts of the architecture are marked.]

o A PARALLEL-TO-SERIES INTERCONNECTION OF 5 BLOCKS
  * FLIGHT CRITICAL PROCESSORS
    — POWER SUPPLIES, DIGITAL PROCESSORS
  * I/O CONTROL MODULE
  * PILOT COMMAND SENSOR
  * AIRCRAFT STATE SENSOR
  * EFFECTOR
    — ACTUATORS, SURFACES, INTERFACE UNITS
• SOME PROPERTIES OF THE RELIABILITY MODEL

o BUILDING BLOCKS: SUBSYSTEMS (NO SPARES, NO REPAIRS)
o REDUNDANCY TYPE: HARDWARE AND FUNCTIONAL
o FAILURE: CONTROL PERFORMANCE DEPENDENT
  — SUBSYSTEM FAILURE
  — LACK OF REDUNDANT CONTROL AUTHORITY
o FAILURE DETECTION: RESIDUAL BASED
  — RESIDUALS ARE NOISY
  — RECONFIGURATION DECISIONS INVOLVE RISKS
o MISSION TIME $t_m$: SHORT
o HOLDING TIME DISTRIBUTION $F(t)$: DIFFICULT TO DETERMINE
  — NO BASIS FOR ASSUMING EXPONENTIAL
  — POSSIBLE TO BOUND BY EXPONENTIAL DISTRIBUTIONS:

    $1 - e^{-\lambda_1 t} \le F(t) \le 1 - e^{-\lambda_2 t}, \quad t \le t_m$

o WHAT TO EXPECT?
  — RIGHT ORDERS OF MAGNITUDE

• PROPERTIES (CONT'D) PECULIAR TO FUNCTIONAL REDUNDANCY

o SYSTEM ARCHITECTURE: MORE COMPLEX IN GENERAL
  * LESS SYMMETRY => HARDER TO OBTAIN A RELIABILITY MODEL
o DEATH STATE: DICTATED BY RELIABILITY REQUIREMENTS
  * INOPERATIVE WITH MAJORITY
  * OPERATIVE WITHOUT MAJORITY
  * NO. 1 CAUSE OF DEATH: UNSUCCESSFUL RECONFIGURATION
    — FALSE ALARM
    — MISSED DETECTION
    — FALSE IDENTIFICATION
    — FALSE RECONFIGURATION
  * EXHAUSTION OF FUNCTIONAL REDUNDANCY
o COVERAGE $C(t)$: NECESSARY
  * HIGHLY SCENARIO DEPENDENT;
  * VERY DIFFICULT TO ESTIMATE;
  * HIGHLY TIME DEPENDENT;
  * HARD TIME LIMIT ($t_{max}$ < DEPARTURE TIME)

    $C(t) \ll C(t_{max})$
• AN EXAMPLE OF CALCULATED COVERAGE

o SCENARIO: 75% LOSS OF CANARD EFFECTIVENESS
o DATA
  — MODEL OF THE AIRCRAFT
  — MEASURED ANGLE OF ATTACK AND PITCH ANGLE
o FACTORS AFFECTING THE VALUE OF COVERAGE
  — PERFORMANCE OF CONTROL, DIAGNOSTIC, DECISION MODULES
o RESULTS
  — A LUCKY SITUATION OF ACHIEVING 0.9999 AFTER 4.2 SECONDS
  — AT T = 0.5 S, LOWER BOUND OF COVERAGE IS ONLY 0.75
• RELIABILITY ANALYSIS OF THE PROCESSOR BLOCK

  [Figure: state diagram of a semi-Markov process, degradable 4-plex with full reconfiguration]

o BLOCK FAILURE PROBABILITY BOUNDS

  $\lambda = 10^{-5}$
  $\mu \in [10^{-4}, \ \cdot\ ]$ (upper bound of the range illegible in the source)
  $\alpha = 10^{-2}$
  $C_{01} = C_{12} = C_{23} = 1$
  $t_m = 1$
• RELIABILITY ANALYSIS OF THE PROCESSOR BLOCK: RECONFIGURATION IS NOT COMPLETE

  [Figure: state diagram of a semi-Markov process, degradable 4-plex with incomplete reconfiguration; the transitions to the death state are labelled $4\lambda(1 - C_{01})$, $3\lambda(1 - C_{12})$, $2\lambda(1 - C_{23})$]

o BLOCK FAILURE PROBABILITY BOUNDS

  $\lambda = 10^{-5}$
  $\mu = 10^{-1}$
  $\alpha = 10^{-2}$
  $C_{01} \in [0.99, 1.0]$
  $C_{12} \in [0.95, 1.0]$
  $C_{23} \in [0.90, 1.0]$
• SURE RELIABILITY ANALYSIS OF THE PROCESSOR BLOCK: INSTANTANEOUS REMOVAL OF A FAULTY SUBSYSTEM

  [Figure: state diagram of a Markov process, degradable 4-plex with incomplete reconfiguration]

o BLOCK FAILURE PROBABILITY BOUNDS

  $\lambda = 10^{-5}$
  $\mu \to \infty$ (instantaneous removal)
  $C_{01} \in [0.99, 1.0]$
  $C_{12} \in [0.95, 1.0]$
  $C_{23} \in [0.90, 1.0]$
• EFFECTS OF NEGLECTING REMOVAL TIMES

o BLOCK FAILURE PROBABILITY BOUNDS

  $\lambda = 10^{-5}$
  $\mu = 10^{-1}$
  $C_{01} \in [0.99, 1.0]$
  $C_{12} \in [0.95, 1.0]$
  $C_{23} \in [0.90, 1.0]$

o BLOCK FAILURE PROBABILITY

  $\lambda = 10^{-5}$
  $\mu = 10^{4}$
  $C_{01} \in [0.99, 1.0]$
  $C_{12} \in [0.95, 1.0]$
  $C_{23} \in [0.90, 1.0]$
• FURTHER SIMPLIFICATION OF THE PROCESSOR MODEL

  $P_f \approx (1 - C_{01})\,4\lambda t_m$

o A SYSTEM WITH AN EQUIVALENT FIRST ORDER EFFECT

o VALID IF, RELATIVE TO THE FAILURE PROCESS,
  — REMOVAL OF FAULTY SUBSYSTEMS IS FAST
  — MISSION TIME IS SHORT
• JUSTIFICATION OF 2ND APPROXIMATION

o AN $r+1$ STATE MARKOV PROCESS

  [Figure: state diagram of the $r+1$ state process]

  $i = 0$ indicates a death state
  $i > n - r$ indicates a state with $i$ operative subsystems and $j$ inoperative subsystems that have not been removed

o FAILURE OF AN $n$-SUBSYSTEM BLOCK
  — $r$ OR MORE FAILED SUBSYSTEMS, OR
  — INCORRECT RECONFIGURATION DECISION

o SOME NOTATIONS
  — $\lambda$: FAILURE RATE OF A SUBSYSTEM
  — $t_m$: MISSION TIME
  — $P_{ij}(t)$: TRANSITION PROBABILITY
  — $C_{ij}$: COVERAGE OF A TRANSITION $i \to j$

• COMBINATORY APPROACH

  $$P(t) = \begin{bmatrix}
  P_{00}(t) & P_{01}(t) & P_{02}(t) & \cdots & P_{0r}(t) \\
  0 & P_{11}(t) & P_{12}(t) & \cdots & P_{1r}(t) \\
  0 & 0 & P_{22}(t) & \cdots & P_{2r}(t) \\
  \vdots & & & \ddots & \vdots \\
  0 & 0 & \cdots & 0 & P_{rr}(t)
  \end{bmatrix}$$

  $$P_{ij}(t) = \binom{n-i}{j-i}\, q(t)^{\,j-i}\,[1 - q(t)]^{\,n-j} \prod_{k=i}^{j-1} C_{k,k+1}, \quad 0 \le i \le j < r$$

  $$P_{ij}(t) = 0, \quad i > j$$

  $$P_{ir}(t) = 1 - \sum_{j=i}^{r-1} P_{ij}(t), \qquad P_{rr}(t) = 1, \qquad 0 \le i < r$$

  where $q(t) = 1 - e^{-\lambda t}$ IS THE SUBSYSTEM FAILURE PROBABILITY

o TRANSITION RATE MATRIX $Q = \dot P(0)$
• AN ALTERNATIVE WHEN $Q$ IS KNOWN

  $\dot P(t) = P(t)\,Q(t)$

  WHERE

  $P(t)_{(r+1)\times(r+1)}$ is the p.t.m. (probability transition matrix)
  $Q(t)_{(r+1)\times(r+1)}$ IS THE T.R.M. (transition rate matrix)

  $P_f = [P(t)]_{(1,\,r+1)}, \quad t \le t_m$

o COMPOSITE FAILURE PROBABILITY OF $m$ CASCADED BLOCKS

  $$1 - \prod_{l=1}^{m} \left\{ 1 - [P_l(t)]_{(1,\,r_l+1)} \right\}$$
  $$Q = \begin{bmatrix}
  -n\lambda & C_{01}\,n\lambda & 0 & 0 & \cdots & [1 - C_{01}]\,n\lambda \\
  0 & -(n-1)\lambda & C_{12}\,(n-1)\lambda & 0 & \cdots & [1 - C_{12}]\,(n-1)\lambda \\
  \vdots & & \ddots & \ddots & & \vdots \\
  0 & 0 & \cdots & 0 & -(n-r+1)\lambda & (n-r+1)\lambda \\
  0 & 0 & \cdots & 0 & 0 & 0
  \end{bmatrix}$$

o $Q$ INDEPENDENT OF $t$ => HOMOGENEOUS MARKOV PROCESS

  $P(t) = e^{Qt} = P^N\!\left(\tfrac{t}{N}\right)$

  $\approx \left(I + Q\tfrac{t}{N}\right)^N$, EULER APPROXIMATION

  $\approx I + Qt$, TAYLOR EXPANSION

  $P_f = [P(t_m)]_{(1,\,r+1)} = [1 - C_{01}]\,n\lambda t_m$
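The combinatorial $P_{ij}(t)$, the rate matrix $Q = \dot P(0)$, the exact solution $P(t) = e^{Qt}$ and the first-order term $[1 - C_{01}]\,n\lambda t_m$ of the slides above, worked through in Python. This is an added example, not code from the slides or from SURE/ASSIST; the 4-plex parameters ($n = 4$, $r = 4$, $\lambda = 10^{-5}$, $t_m = 1$, $C_{01} = 0.99$, $C_{12} = 0.95$, $C_{23} = 0.90$) are the slides' values at the lower ends of the coverage ranges, while the function names (rate_matrix, expm, combinatorial, derivative_at_zero, first_order, block_failure) and the pure-Python matrix exponential are this example's own. It handles general $n$ and $r$, of which the 4-plex is one instance.

```python
"""Degradable n-plex block with per-transition coverage: exact P(t) = exp(Qt),
the combinatorial P_ij(t) of the slides, the finite-difference check Q = P'(0),
and the first-order approximation P_f ~ (1 - C01) n lambda t_m.
Added example; helper names are this example's own."""
from math import comb, expm1


def rate_matrix(n, r, lam, cov):
    """(r+1)x(r+1) transition rate matrix Q.  State i < r: i failed subsystems
    removed, n-i operative; state r: death.  cov[i] is the coverage C_{i,i+1}."""
    Q = [[0.0] * (r + 1) for _ in range(r + 1)]
    for i in range(r):
        total = (n - i) * lam                 # failure rate of the n-i operative units
        Q[i][i] = -total
        if i < r - 1:
            Q[i][i + 1] = cov[i] * total      # covered failure: degrade to state i+1
            Q[i][r] = (1 - cov[i]) * total    # uncovered failure: death
        else:
            Q[i][r] = total                   # r-th failure: death regardless of coverage
    return Q


def matmul(A, B):
    m = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(m)) for j in range(m)] for i in range(m)]


def identity(m):
    return [[float(i == j) for j in range(m)] for i in range(m)]


def expm(Q, t, terms=20, squarings=10):
    """exp(Qt) by Taylor series with scaling and squaring (pure Python, small matrices)."""
    m = len(Q)
    A = [[Q[i][j] * t / 2 ** squarings for j in range(m)] for i in range(m)]
    result, term = identity(m), identity(m)
    for k in range(1, terms + 1):
        term = [[x / k for x in row] for row in matmul(term, A)]   # A^k / k!
        result = [[result[i][j] + term[i][j] for j in range(m)] for i in range(m)]
    for _ in range(squarings):
        result = matmul(result, result)
    return result


def combinatorial(n, r, lam, cov, t):
    """P_ij(t) from the slides: binomial count of j-i new failures among the n-i
    operative units, each degradation step weighted by its coverage."""
    q = -expm1(-lam * t)                      # subsystem failure probability 1 - e^{-lambda t}
    P = [[0.0] * (r + 1) for _ in range(r + 1)]
    for i in range(r):
        for j in range(i, r):
            c = 1.0
            for k in range(i, j):
                c *= cov[k]
            P[i][j] = comb(n - i, j - i) * q ** (j - i) * (1 - q) ** (n - j) * c
        P[i][r] = 1.0 - sum(P[i][:r])         # everything else ends in the death state
    P[r][r] = 1.0
    return P


def derivative_at_zero(n, r, lam, cov, h=1e-4):
    """Finite difference (P(h) - I) / h of the combinatorial P(t): should reproduce Q."""
    P = combinatorial(n, r, lam, cov, h)
    return [[(P[i][j] - float(i == j)) / h for j in range(r + 1)] for i in range(r + 1)]


def first_order(n, lam, cov, t):
    """[I + Qt]_(0,r): the first-order Taylor term (1 - C01) n lambda t."""
    return (1 - cov[0]) * n * lam * t


def block_failure(n, r, lam, cov, t_m):
    """Block failure probability P_f = [P(t_m)]_(0,r) by three routes."""
    Q = rate_matrix(n, r, lam, cov)
    return {"exact": expm(Q, t_m)[0][r],
            "combinatorial": combinatorial(n, r, lam, cov, t_m)[0][r],
            "first_order": first_order(n, lam, cov, t_m)}


if __name__ == "__main__":
    # 4-plex of the slides: lambda = 1e-5, t_m = 1, C01 = 0.99, C12 = 0.95, C23 = 0.90
    for name, value in block_failure(4, 4, 1e-5, [0.99, 0.95, 0.90], 1.0).items():
        print(f"{name:14s} {value:.6e}")
```

With the slides' parameters the exact and combinatorial values agree to machine precision, and the first-order term $4 \times 10^{-7}$ is low by only a few parts in $10^{5}$, since the second-order path (covered first failure, then uncovered second failure) contributes about $3 \times 10^{-11}$. The finite-difference matrix returned by derivative_at_zero reproduces every entry of rate_matrix, which is the slides' statement $Q = \dot P(0)$ in numbers.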
• APPROXIMATION ERROR

  $$P_f(t) = [P(t)]_{(1,\,r+1)} = \left[e^{Qt}\right]_{(1,\,r+1)} = \lim_{N \to \infty} \left[\left(I + \frac{Qt}{N}\right)^N\right]_{(1,\,r+1)}$$
• SOME REMARKS

o GOOD APPROXIMATION

  $(r+1)(n\lambda t)^2 \ll (1 - C_{01})\,n\lambda t$

  OR

  $C_{01} \ll 1 - n^2 \lambda t$

o REDUNDANT SYSTEM VERSUS SIMPLE SYSTEM

  $[1 - C_{01}]\,n\lambda t_m < \lambda t_m$

  OR

  $C_{01} > 1 - \dfrac{1}{n}$

o IN GENERAL, $1 - C_{01}$ DECREASES AS $n$ INCREASES
  => THERE IS AN $n$ AT WHICH

  $\min_n\,(1 - C_{01})\,n\lambda t_m$

  IS ACHIEVED

o EXAMPLE

  REDUNDANCY MANAGEMENT    n    C01      (1 - C01) n
  VOTING                   4    0.992    0.032
  VOTING                   3    0.99     0.03
  COMPARING                2    0.89     0.22
• ERROR DUE TO NEGLECTING REMOVAL TIMES

  $$\epsilon = P_f - P_f^{\text{approx}} \le \sum_{j=2}^{4} \prod_{i=1}^{j} (5-i)\left(1 - e^{-\lambda t}\right) e^{-(4-i)\lambda t}$$

  $$\le \sum_{j=2}^{4} \prod_{i=1}^{j} (5-i)\,\lambda t = 4 \cdot 3\,\lambda^2 t^2 \left(2\lambda^2 t^2 + 2\lambda t + 1\right) \le (4\lambda t)^2, \quad \lambda t < \tfrac{1}{8}$$

o GOOD APPROXIMATION

  $(1 - C_{01})\,4\lambda t \gg (4\lambda t)^2 \iff C_{01} \ll 1 - 4\lambda t$

• GENERAL ERROR BOUND FOR NEGLECTING REMOVAL TIMES

o OMITTED PATHS TO DEATH STATES

  [Figure: state diagram showing the paths to the death states that the instantaneous-removal model omits]

o HIGHER RATES TO DEATH STATES

  $C_{ij} \leftarrow 1, \qquad F_j(t) \leftarrow 1$

  $$\epsilon = P_f - P_f^{\text{approx}} \le \sum_{j=2}^{r} \prod_{i=1}^{j} (n+1-i)\left(1 - e^{-\lambda t}\right) e^{-(n-i)\lambda t}$$

  $$\le \sum_{j=2}^{r} \frac{n!}{(n-j)!}\,(\lambda t)^j \le n(n-1)(\lambda t)^2\, \frac{1 - [(n-2)\lambda t]^{\,r-1}}{1 - (n-2)\lambda t} \le (n\lambda t)^2, \quad n\lambda t < \frac{1}{n-2}$$

o GOOD APPROXIMATION

  $(1 - C_{01})\,n\lambda t \gg (n\lambda t)^2$

  $C_{01} \ll 1 - n\lambda t$
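An added example (not from the slides) that puts numbers on the error $\epsilon$ and on its bound $(n\lambda t)^2$: the degradable 4-plex is solved once with instantaneous removal (the Markov model of the earlier slides) and once with an exponentially distributed removal time of rate $\mu$, both with the Euler approximation $(I + Qt/N)^N$ from the earlier slide, $N = 2^{20}$ taken by repeated squaring. The parameters are the slides' ($\lambda = 10^{-5}$, $t = 1$, $C_{01} = 0.99$, $C_{12} = 0.95$, $C_{23} = 0.90$, $\mu = 10^{-1}$ and $\mu = 10^{4}$); the rule that a further failure while a faulty unit is still unremoved is fatal (the "omitted path to a death state") is this example's modeling assumption, and the helper names (build_q, euler_power, failure_prob, removal_error) are its own.

```python
"""Finite removal times in a degradable n-plex: the Markov model with an exponential
removal rate mu versus the instantaneous-removal model, both solved with the Euler
approximation (I + Qt/N)^N of the slides, N = 2^k taken by repeated squaring.
Added example; that a further failure while a faulty unit is still unremoved is fatal
(the slides' omitted path to a death state) is this example's modeling assumption."""


def build_q(n, r, lam, cov, mu=None):
    """Rate matrix over states (i, u): i faulty units removed, u in {0, 1} faulty units
    awaiting removal; the last index is the death state.  mu=None means instantaneous
    removal (the slides' Markov model)."""
    states = [(i, 0) for i in range(r)]
    if mu is not None:
        states += [(i, 1) for i in range(r - 1)]
    idx = {s: k for k, s in enumerate(states)}
    death = len(states)
    Q = [[0.0] * (death + 1) for _ in range(death + 1)]

    def add(src, dst, rate):                   # dst None: the death state
        Q[idx[src]][death if dst is None else idx[dst]] += rate
        Q[idx[src]][idx[src]] -= rate

    for i in range(r):
        f = (n - i) * lam                      # failure rate of the n-i operative units
        if i == r - 1:
            add((i, 0), None, f)               # r-th failure: death
        else:
            add((i, 0), None, (1 - cov[i]) * f)                               # uncovered
            add((i, 0), (i + 1, 0) if mu is None else (i, 1), cov[i] * f)    # covered
    if mu is not None:
        for i in range(r - 1):
            add((i, 1), (i + 1, 0), mu)        # removal of the faulty unit completes
            add((i, 1), None, (n - i - 1) * lam)   # another failure first: assumed fatal
    return Q


def matmul(A, B):
    m = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(m)) for j in range(m)] for i in range(m)]


def euler_power(Q, t, k=20):
    """(I + Qt/N)^N with N = 2^k, i.e. the Euler approximation squared k times."""
    m = len(Q)
    M = [[float(i == j) + Q[i][j] * t / 2 ** k for j in range(m)] for i in range(m)]
    for _ in range(k):
        M = matmul(M, M)
    return M


def failure_prob(n, r, lam, cov, t, mu=None, k=20):
    """P_f over [0, t] from the all-operative state (index 0) to the death state (last)."""
    return euler_power(build_q(n, r, lam, cov, mu), t, k)[0][-1]


def removal_error(n, r, lam, cov, t, mu, k=20):
    """epsilon = P_f(mu) - P_f^approx, the slides' bound (n lambda t)^2, and whether the
    bound's condition n lambda t < 1/(n-2) holds."""
    eps = failure_prob(n, r, lam, cov, t, mu, k) - failure_prob(n, r, lam, cov, t, None, k)
    return eps, (n * lam * t) ** 2, n * lam * t < 1.0 / (n - 2)


if __name__ == "__main__":
    for mu in (1e-1, 1e4):                     # slow and fast removal, as on the slides
        eps, bound, ok = removal_error(4, 4, 1e-5, [0.99, 0.95, 0.90], 1.0, mu)
        print(f"mu = {mu:.0e}: epsilon = {eps:.3e}, bound = {bound:.3e}, condition holds: {ok}")
```

The step $t/2^{20}$ keeps $1 - \mu t/N$ positive even for $\mu = 10^{4}$, which is what makes the Euler product usable on the stiff fast-removal model. With slow removal ($\mu = 10^{-1}$, a mean removal time ten times the mission) the error is of order $5 \times 10^{-10}$, well inside the bound $(4\lambda t)^2 = 1.6 \times 10^{-9}$; with fast removal ($\mu = 10^{4}$) it drops to about $10^{-13}$, which is why the slides treat removal times as negligible in that case.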
• ANALYSIS OF THE EFFECTOR BLOCK

• SURE AND ASSIST ARE NEEDED IN HIGH COVERAGE MODELS

o A SIMPLE CASE STUDY
• EXAMPLE: DEGRADABLE 2-PLEX CONTAINING 3-PLEX-1-PLEX'S

  $\lambda_1 = 10^{-5}, \qquad \lambda_2 = 5.0 \times 10^{-6}, \qquad t_m = 1.0$

  $C_{01} \in [0.99, 1.0]$
  $C_{12} \in [0.95, 1.0]$
  $C_{23} \in [0.90, 1.0]$
  $C'_{01} \in [0.99, 1.0]$

o A SIMPLIFICATION WITH AN EQUIVALENT FIRST ORDER EFFECT
  — $3\lambda_1$ AND $\lambda_2$ ARE OF THE SAME ORDERS OF MAGNITUDE
  — $C_{01}$ AND $C'_{01}$ ARE OF THE SAME ORDERS OF MAGNITUDE

o SIMPLE FORMULA

  $P_f \approx 6\lambda_1 [1 - C_{01}]\,t + 2\lambda_2 (1 - C'_{01})\,t, \quad t \le t_m$
• USING ASSIST AND SURE

(* Markov model generation for a 2-channel 3-plex--1-plex degradable configuration *)

(* Failure rates and coverages *)
LA = 1.0E-5;     (* subsystem failure rate for block A (3-plex block) *)
LB = 5.0E-6;     (* subsystem failure rate for block B (1-plex block) *)
CA01 = 0.99;     (* coverage for the 1st failure in block A *)
CA12 = 0.95;     (* coverage for the 2nd failure in block A *)
CA23 = 0.90;     (* coverage for the 3rd failure in block A *)
CB01 = 0.99;     (* coverage for the failure in block B *)

(* Input to SURE for coverage variation *)
"DELTA = 0.0 TO* 1.0;"                (* Delta times the coverage range = step size *)
"CA01 = 0.99 + DELTA*(1.0-0.99);"     (* CA01 ranges from 0.99 to 1.0 *)
"CA12 = 0.95 + DELTA*(1.0-0.95);"     (* CA12 ranges from 0.95 to 1.0 *)
"CA23 = 0.90 + DELTA*(1.0-0.90);"     (* CA23 ranges from 0.90 to 1.0 *)
"CB01 = CA01;"                        (* CB01 ranges from 0.99 to 1.0 *)

(* State space definition (array of two identical channels) *)
SPACE = (NCA: ARRAY[1..2] OF 0..3,    (* NCA: number of operative subsystems in block A *)
         NFA: ARRAY[1..2] OF 0..3,    (* NFA: number of inoperative subsystems in block A *)
         NUA: ARRAY[1..2] OF 0..1,    (* NUA: flags uncovered failures in block A when NUA=1 *)
         NCB: ARRAY[1..2] OF 0..1,    (* NCB: number of operative subsystems in block B *)
         NFB: ARRAY[1..2] OF 0..1);   (* NFB: number of inoperative subsystems in block B *)

(* Initial state definition *)
START = (2 OF 3, 2 OF 0, 2 OF 0, 2 OF 1, 2 OF 0);   (* NCA[I]=3, NFA[I]=0, NUA[I]=0, NCB[I]=1, NFB[I]=0, I=1,2 *)

(* Death state definition *)
DEATHIF (NFA[1]+NFA[2] > 5)          (* at least one of block A or block B in each channel is inoperative *)
     OR (NFA[1]+NFB[2] > 3)
     OR (NFB[1]+NFA[2] > 3)
     OR (NFB[1]+NFB[2] > 1)
     OR (NUA[1]+NUA[2] >= 1);        (* or any uncovered failure *)

(* State transitions in channel I, I=1,2 *)
FOR I IN [1,2];
  IF (NFB[I]=0) AND (NFA[I]=0) THEN                                            (* 1st failure in block A *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=0 BY NCA[I]*LA*CA01;       (* covered *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=1 BY NCA[I]*LA*(1-CA01);   (* uncovered *)
  ENDIF;
  IF (NFB[I]=0) AND (NFA[I]=1) THEN                                            (* 2nd failure in block A *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=0 BY NCA[I]*LA*CA12;       (* covered *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=1 BY NCA[I]*LA*(1-CA12);   (* uncovered *)
  ENDIF;
  IF (NFB[I]=0) AND (NFA[I]=2) THEN                                            (* 3rd failure in block A *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=0 BY NCA[I]*LA*CA23;       (* covered *)
    TRANTO NCA[I]=NCA[I]-1, NFA[I]=NFA[I]+1, NUA[I]=1 BY NCA[I]*LA*(1-CA23);   (* uncovered *)
  ENDIF;
  IF (NCB[I]=1) AND (NCA[I]>0) THEN                                            (* failure in block B *)
    TRANTO NUA[I]=0, NCB[I]=NCB[I]-1, NFB[I]=NFB[I]+1 BY NCB[I]*LB*CB01;       (* covered *)
    TRANTO NUA[I]=1, NCB[I]=NCB[I]-1, NFB[I]=NFB[I]+1 BY NCB[I]*LB*(1-CB01);   (* uncovered *)
  ENDIF;
ENDFOR;

o FINITE REMOVAL TIMES CAN BE EASILY INCORPORATED
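The ASSIST listing above, re-expressed in Python as an added example (this is not ASSIST or SURE output): the same state variables, DEATHIF rule and TRANTO transitions are used to enumerate the reachable state space and its rates, the equation $\dot P = PQ$ of the earlier slide is integrated over the mission (here as the vector equation $\dot p = pQ$ with a Runge-Kutta step), and the death probability is compared with the simple formula $P_f \approx 6\lambda_1(1 - C_{01})\,t + 2\lambda_2(1 - C'_{01})\,t$. Rates and coverages are the listing's values (lower ends of the coverage ranges); the helper names (is_death, channel_transitions, build_model, failure_probability, simple_formula) and the choice of integrator are this example's own.

```python
"""The 2-channel (3-plex, 1-plex) configuration of the ASSIST listing, re-expressed in
Python: the same state variables, DEATHIF rule and TRANTO transitions enumerate the
reachable state space and its rates; dp/dt = p Q is integrated over the mission and the
death probability is compared with the slide's simple first-order formula.
Added example, not ASSIST or SURE output; helper names are this example's own."""
LA, LB, T_M = 1.0e-5, 5.0e-6, 1.0                   # LA, LB and t_m of the listing
COV = {"CA01": 0.99, "CA12": 0.95, "CA23": 0.90, "CB01": 0.99}   # lower ends of the ranges
START = ((3, 0, 0, 1, 0), (3, 0, 0, 1, 0))          # per channel: (NCA, NFA, NUA, NCB, NFB)


def is_death(s):
    """DEATHIF of the listing: both channels lost, or any uncovered failure."""
    (_, nfa1, nua1, _, nfb1), (_, nfa2, nua2, _, nfb2) = s
    return (nfa1 + nfa2 > 5 or nfa1 + nfb2 > 3 or nfb1 + nfa2 > 3
            or nfb1 + nfb2 > 1 or nua1 + nua2 >= 1)


def channel_transitions(ch, cov):
    """TRANTO rules for one channel: list of (new channel state, rate)."""
    nca, nfa, nua, ncb, nfb = ch
    out = []
    if nfb == 0 and nfa < 3:                        # 1st / 2nd / 3rd failure in block A
        c = cov[("CA01", "CA12", "CA23")[nfa]]
        out.append(((nca - 1, nfa + 1, 0, ncb, nfb), nca * LA * c))        # covered
        out.append(((nca - 1, nfa + 1, 1, ncb, nfb), nca * LA * (1 - c)))  # uncovered
    if ncb == 1 and nca > 0:                        # failure in block B
        out.append(((nca, nfa, 0, ncb - 1, nfb + 1), ncb * LB * cov["CB01"]))
        out.append(((nca, nfa, 1, ncb - 1, nfb + 1), ncb * LB * (1 - cov["CB01"])))
    return out


def build_model(cov=COV, start=START):
    """Enumerate the reachable operational states; all death states merge into DEATH."""
    states, rates, todo, seen = [], {}, [start], {start}
    while todo:
        s = todo.pop()
        states.append(s)
        for i in range(2):
            for new_ch, rate in channel_transitions(s[i], cov):
                ns = (new_ch, s[1]) if i == 0 else (s[0], new_ch)
                dst = "DEATH" if is_death(ns) else ns
                rates[(s, dst)] = rates.get((s, dst), 0.0) + rate
                if dst != "DEATH" and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
    return states + ["DEATH"], rates


def failure_probability(states, rates, t, steps=200):
    """Integrate dp/dt = p Q with RK4 from the start state; return the DEATH probability."""
    idx = {s: k for k, s in enumerate(states)}

    def deriv(p):
        d = [0.0] * len(p)
        for (src, dst), rate in rates.items():
            flow = p[idx[src]] * rate
            d[idx[src]] -= flow
            d[idx[dst]] += flow
        return d

    p = [0.0] * len(states)
    p[0] = 1.0                                      # states[0] is the start state
    h = t / steps
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv([x + h / 2 * y for x, y in zip(p, k1)])
        k3 = deriv([x + h / 2 * y for x, y in zip(p, k2)])
        k4 = deriv([x + h * y for x, y in zip(p, k3)])
        p = [x + h / 6 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p[idx["DEATH"]]


def simple_formula(t, cov=COV):
    """First-order effect of the slide: uncovered first failures in either channel."""
    return 6 * LA * (1 - cov["CA01"]) * t + 2 * LB * (1 - cov["CB01"]) * t


if __name__ == "__main__":
    states, rates = build_model()
    pf = failure_probability(states, rates, T_M)
    print(f"{len(states)} states, P_f = {pf:.6e}, simple formula = {simple_formula(T_M):.6e}")
```

The enumeration yields 33 operational states plus DEATH, and at $t_m = 1$ the integrated death probability agrees with the simple formula ($7 \times 10^{-7}$) to better than one part in a thousand, which is the "effect of simplification" in numbers. Passing a coverage dictionary with every value set to 1.0 shows the other side of the same point: with perfect coverage the only remaining routes to death are exhaustion paths, and $P_f$ falls below $10^{-9}$.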
• EFFECT OF SIMPLIFICATION

• KEY TO ENHANCED RELIABILITY: HIGH COVERAGE

o CURRENTLY ACHIEVABLE VALUE IN FTFCS?
  — $1 - C_{01} \sim 10^{-1}$
o IMPROVEMENT DESIRABLE?
  — REDUCTION OF $1 - C_{01}$ BY SEVERAL ORDERS OF MAGNITUDE
o ADEQUATE VALUE?
  — $1 - C_{01} \ll n^2 \lambda t_m$
o WHEN THE ABOVE IS ACHIEVED
  — SURE IS NEEDED FOR ACCURACY
  — ASSIST IS NEEDED FOR MODELING
o A BY-PRODUCT OF ASSIST
  — TRANSITION RATE MATRIX OF A MARKOV PROCESS